New format proposes images to replace passwords

Your next password could be a picture of a frog. Who doesn't like frogs?

Most people who are employed in a position where they access a computer using a username and password are probably all too familiar with mandatory password changes. The basic password has been the weak link in computer security since the beginning of computer security. Like all things tech, it's only as strong as the person using it, and when selecting and changing passwords all sorts of things can go wrong: users tend to choose a password which is easy to remember.

That leaves hackers with a fairly predictable pool to choose from: important dates, names of significant people in our lives, where one finished school, etc. Even the most random combination of letters and numbers can be brute-forced without too much effort, provided enough time and/or a powerful enough computer.

However, a meeting this week of the Computer and Communications Security Division of the Association for Computing Machinery (what a title!) examined and discussed a new proposal in password security: the Draw a Secret method.

The DAS method relies on the fact that the human brain ties images into more synapses than it does words, so humans are able to recall complicated images better than they are able to remember random letter-number passwords. DAS isn’t a new concept, but it has always failed usability tests due to a user’s inability to redraw an image precisely enough for an algorithm to pick it up.

This new implementation provides the user with an existing image, then records where on the image the user draws the picture while allowing a higher tolerance for exact pixel reproduction. The background image also helps to trigger muscle memory in a user, enabling easier and more exact reproduction.

As of now the system is only intended for devices with a touch-sensitive input, which could include many smartphones, laptops, and even touchpads designed for PCs. In preliminary testing, users created passwords with an additional 10 bits of extractable data compared to passwords created without a background image. In addition, 95% of users were able to recall their passwords a week later.
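To make the "tolerance" idea concrete, here is an added illustration (not code from the article or from the researchers) of how a Draw-a-Secret style scheme can turn a drawing into a comparable secret: the canvas is divided into a grid, each stroke is reduced to the sequence of cells it passes through plus a pen-up marker, and only a salted hash of that sequence is stored. The 5x5 grid, the 300-pixel canvas and the sample strokes are constructed for the example; a redraw that wobbles by a few pixels but stays in the same cells still verifies.

```python
import hashlib
import hmac
from typing import List, Tuple

Point = Tuple[float, float]   # (x, y) in canvas pixel coordinates
Stroke = List[Point]          # points sampled between pen-down and pen-up

GRID = 5       # 5x5 grid of cells (assumed grid size for this example)
CANVAS = 300   # canvas is CANVAS x CANVAS pixels (constructed value)


def cell_of(p: Point) -> Tuple[int, int]:
    """Quantise a pixel coordinate to the grid cell containing it.
    This quantisation is the source of the tolerance: any point inside a
    cell maps to the same token, so small wobbles do not change the secret."""
    size = CANVAS / GRID
    x = min(GRID - 1, max(0, int(p[0] // size)))
    y = min(GRID - 1, max(0, int(p[1] // size)))
    return (x, y)


def encode(strokes: List[Stroke]) -> List[str]:
    """Reduce a drawing to its DAS token sequence: the cells each stroke
    visits (consecutive repeats collapsed) and a PEN_UP marker per stroke.
    Assumes points are sampled densely enough that no cell is skipped."""
    tokens: List[str] = []
    for stroke in strokes:
        last = None
        for p in stroke:
            c = cell_of(p)
            if c != last:
                tokens.append(f"{c[0]},{c[1]}")
                last = c
        tokens.append("PEN_UP")
    return tokens


def secret_digest(strokes: List[Stroke], salt: bytes) -> str:
    """What the verifier stores: a salted hash of the token sequence, never
    the raw strokes. (A real deployment would use a slow password hash
    such as scrypt, because the token space is far smaller than a key.)"""
    canonical = "|".join(encode(strokes)).encode()
    return hashlib.sha256(salt + canonical).hexdigest()


def verify(stored: str, attempt: List[Stroke], salt: bytes) -> bool:
    """Constant-time comparison of the attempt's digest with the stored one."""
    return hmac.compare_digest(secret_digest(attempt, salt), stored)


# Constructed sample drawings: a diagonal stroke, then a short horizontal one.
SALT = b"example-salt"
ENROLL = [[(20, 20), (80, 80), (140, 140)], [(200, 250), (280, 250)]]
# Same shapes redrawn with several pixels of jitter: same cells, so it matches.
REDRAW = [[(25, 15), (75, 85), (130, 150)], [(195, 260), (285, 245)]]
# Second stroke drawn one cell row higher: different cells, so it fails.
WRONG = [[(20, 20), (80, 80), (140, 140)], [(200, 200), (280, 200)]]

STORED = secret_digest(ENROLL, SALT)

if __name__ == "__main__":
    print(encode(ENROLL))
    print("redraw ok:", verify(STORED, REDRAW, SALT))
    print("wrong ok: ", verify(STORED, WRONG, SALT))
```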

Excited to draw your login, or is this just another gimmick? Share your thoughts over in the forums.

Sounds viable, if not a bit crazy. Fortunately for me, my laptop remembers my passwords when I type them into a website for a first time and just lets me swipe the fingerprint reader to login on future occasions.

ugh, as an it guy, i'd hate to have to explain to new users "you need to draw in a complex password using more than 7 colours, not including your picture and it must have oil, water, pastel, and/or ascii art included" :p

the other problem is, i can remember the image but i'm no renoir so don't expect me to draw even a similar picture twice which means it'd have to be something relatively simple and that would be hackable using the same brute force tactics as now, ie a picture of mickey mouse, etc.

Surely: If pictures are easier for the human brain to remember and generate then it's easier for a person to hack and guess? Especially if the picture just has to be CLOSE to similar, not identical?

Also, how complex do they have to be? In order to provide decent protection it would have to have a fair bit of detail in, right? I don't want to be hampered with drawing stuff for 2 or 3 minutes every time I log on...

Good: Extremely hard to hack, easy to use (not like you're going to forget your finger or eye)
Bad: it's a stone cold bitch to change the enrollment when your password changes, administrator/group accounts that are accessed by more than one person would not be able to use biometrics, or then only a max of 10 people (1 for each finger) plus if you have a local admin account on each domain computer for IT guys, you'd have to enroll your finger print on every computer, that'd suck.

The current multiple authentication mash up is really where everybody needs to go. Smartcard, strong password, biometrics, RFID, etc.

drawings would really only be used as a complement to the other authentication methods, and like CardJoe said, i'd hate to have to draw in my stupid mickey mouse picture for 2-3 minutes just to be able to start work, that'd be a bad thing Monday morning pre-coffee.

Originally Posted by Hells_Bliss
Biometrics has its good points and bad points like everything else.

Good: Extremely hard to hack, easy to use (not like you're going to forget your finger or eye)
Bad: it's a stone cold bitch to change the enrollment when your password changes, administrator/group accounts that are accessed by more than one person would not be able to use biometrics, or then only a max of 10 people (1 for each finger) plus if you have a local admin account on each domain computer for IT guys, you'd have to enroll your finger print on every computer, that'd suck.

The current multiple authentication mash up is really where everybody needs to go. Smartcard, strong password, biometrics, RFID, etc.

drawings would really only be used as a complement to the other authentication methods, and like CardJoe said, i'd hate to have to draw in my stupid mickey mouse picture for 2-3 minutes just to be able to start work, that'd be a bad thing Monday morning pre-coffee.

I must admit I fail to see why you think biometric would be so difficult to roll out...

first of all would the whole point of using biometric identification (like fingerprints) not make changing "passwords" unnecessary and if you did.. what are you going to do after they have used all their 10 fingers..(ask them to use toes?).
Since biometric identification is so difficult to hack I see no reason why you could not have several "passwords/fingerprints" for one account (that's if you want to limit the number of admin accounts) or all IT admins could have their own account. I guess depending on your network the number of people needing access to a local account will vary, but even then i think the security advantage is worth the slight hassle of getting local accounts set up for admins where needed. Also there is no reason why the biometric data cannot be copied (although it might prove a security problem) so that people can have local accounts set up without the actual user being present.


Originally Posted by Dr. Strangelove
I must admit I fail to see why you think biometric would be so difficult to roll out...

first of all would the whole point of using biometric identification (like fingerprints) not make changing "passwords" unnecessary and if you did.. what are you going to do after they have used all their 10 fingers..(ask them to use toes?).
Since biometric identification is so difficult to hack I see no reason why you could not have several "passwords/fingerprints" for one account (that's if you want to limit the number of admin accounts) or all IT admins could have their own account. I guess depending on your network the number of people needing access to a local account will vary, but even then i think the security advantage is worth the slight hassle of getting local accounts set up for admins where needed. Also there is no reason why the biometric data cannot be copied (although it might prove a security problem) so that people can have local accounts set up without the actual user being present.

Well, the only experience i've had is with the IBM ThinkVantage software, other software might be better but when you enroll a finger print on the IBM it enrolls it on one finger. you can use only your 10 fingers with that software. Also, if you're in a domain environment or are security conscious at all, you will/should change your password every 90 days. You can unenroll a finger, but like I said with the IBM software it's a stone cold bitch to do.

As to the local accounts, say i'm the IT admin that set everything up; my finger print is enrolled on all the systems. I die in a car crash/get fired for watching porn. My replacement will not be able to log in with the biometrics, only with the password. He will then need to go to every system and enroll his finger print. This IT guy is in charge of 600 computers, 200 of which are laptops with remote sales guys. It'd be near impossible for him to unenroll me and re-enroll his prints.

I'm not sure if you can copy the biometric data, i'm not sure where the hashed file would be or what else it contains, say it holds the fingerprints for all enrolled users on that computer, you copy that file onto somebody else's computer that already has enrollments and you're either not going to log on or they're not going to be able to...or the software corrupts and you're both screwed :p

Like I said, it has its good points and bad points. It's ideal for a sales guy that's the only one using the computer, but it's hard to administer from a domain or enterprise level.

I have to say I'm a bit confused. I used to use a scribble to identify myself when I bought things in shops. But apparently that wasn't safe enough so I then had to use a 4-number PIN. And now we're going back to scribbles?

I think some people are confused about the exact way some of this works.

AFAIK, biometric fingerprint readers store a hash of your fingerprint data in the reader itself and when software asks for authentication, you swipe the finger and the reader passes the password to the application.
The software will still accept a password I think and as such, biometric fingerprint readers are only as strong as the password you use.
It just means instead of having to remember a 20char password, you can swipe your finger.

I'm not sure if you get corporate versions of this, where you can tie personal info/biometrics to a domain user account and allow that account to access the domain on any machine with a compatible reader.
If not, then it pretty much reduces biometrics to a useful way to remember your passwords, in much the same way as your browser might remember your passwords for you.

This picture idea however sounds interesting.
I can't see a way for hackers to brute-force this method other than have a robotic arm drawing millions of random images.
Assuming the algorithms behind the method are robust and not susceptible to cryptanalysis (like WEP for example).
And they have refined the method slightly from giving you a blank canvas.
They provide a sample image which might be a 3x3 grid of boxes for example.
All you need to do is draw a circle in box one, a cross in box 4 and a squiggle in box 8 and I'd assume you'd have a pretty strong password.
I don't think you'd need to re-create the Mona Lisa just to log into the bit forums... :D

And if you consider that having the pre-provided image effectively allows you to create passwords (or should that be passpictures? :D) much more accurately and with, on average, 10 extra bits, you can start to see the appeal.
10 bit is in effect an 18 char password instead of an 8 char one.
So several orders of magnitude more secure.

I think it'll be interesting to see where this goes. :)

Quote:

Originally Posted by Cardjoe
Surely: If pictures are easier for the human brain to remember and generate then it's easier for a person to hack and guess? Especially if the picture just has to be CLOSE to similar, not identical?

Not at all. If you give us both a blank piece of paper and ask us to draw the first things that come to our heads, we'll almost certainly draw something completely different.
Now ask us to try and guess what the other drew and re-create it without seeing it and I think we'd be there til the end of time.
Only problem I can see is if someone saw you drawing your secret, but its no worse than someone watching you enter your password/pin etc now.

Quote:

Originally Posted by Cardjoe
Also, how complex do they have to be? In order to provide decent protection it would have to have a fair bit of detail in, right? I don't want to be hampered with drawing stuff for 2 or 3 minutes every time I log on...

I don't think you'd need to.
If you think of my example above with the 3x3 grid, you might only need to draw something in three of the boxes to have a strong password/picture thing.

Quote:

Originally Posted by tomm
I have to say I'm a bit confused. I used to use a scribble to identify myself when I bought things in shops. But apparently that wasn't safe enough so I then had to use a 4-number PIN. And now we're going back to scribbles?
Oh lordy.

I can see your point but if you think of it, your signature is easy to copy if someone is able to study it.
Also, that method relied on a human comparison to what you wrote to what's on the card.
This will rely on a computer analysis, so even though the pictures will allow some tolerance for differences, it'll still be much more accurate.
Pin numbers for security is a joke IMO and I think signatures were probably more secure... :D

Originally Posted by Tomm
I have to say I'm a bit confused. I used to use a scribble to identify myself when I bought things in shops. But apparently that wasn't safe enough so I then had to use a 4-number PIN. And now we're going back to scribbles?

Oh lordy.

^^ LOL

Quote:

Also, if you're in a domain environment or are security conscious at all, you will/should change your password every 90 days.

Well if the biometric login does not negate the need to change "passwords" then there is really not much point at all (unless you get fired after having changed your password twice, if you use eyes, 10 times if you use fingers (20 times if you include the toes but that might get smelly). The only way I can see you changing "passwords" with biometric identification is if the reader actually only uses say 1/1000 of the datapoints it reads and randomly chooses them, which means statistically you can make quite a lot of "passwords" with the same finger.

Quote:

I die in a car crash/get fired for watching porn.

I assume that if you got fired you would be asked to supply your fingerprint so that another admin could take over, if you die, they just cut off your finger:|
as for a network with as many computers as you describe I would certainly hope that there was more than one admin.. or he would be one hell of a busy man. At least for windows networks remote/laptop users still use their network account to log in.

Finally I have no idea of whether there is software available that can do what I suggest at the moment, my point is that I don't see why biometric data could not be rolled out as the login method of enterprise sized networks.

Originally Posted by Dr. Strangelove
^^ LOL
Finally I have no idea of whether there is software available that can do what I suggest at the moment, my point is that I don't see why biometric data could not be rolled out as the login method of enterprise sized networks.

Well, it can and has been. You'd need a corporate application installed to do this though, the IBM software wouldn't suffice. Also, you'd use it as a multi-form authentication ie: you swipe your finger print, put in your smartcard, and enter your password. You can do this, you just need to enable EAP/TLS authentication on the domain.

As a side note, I was watching MythBusters the other week and they were able to fool a fingerprint reader quite easily, they just got a dot-matrix printer to print out a fingerprint and then read it through the reader, kinda like the movies :p

I'd be worried about what happens when the computer crashes and the repair guy can't reproduce the scribble-as-password. One work-around would be to have the owner set up an unpassworded admin account before taking it in, but if it's really messed up he/she may not be able to do that. The other option would be to have the owner come in and physically enter the password at the appropriate point in the repair process - can you say pain in the neck?

It's still an interesting idea, though. Maybe it'd be good for web-based logins. Although if you give people a background image to draw on, I'll bet that 90% will just trace some of the major visible lines, which would be incredibly easy to hack.

Originally Posted by airchie
I think some people are confused about the exact way some of this works.

...biometric fingerprint readers store a hash of your fingerprint data in the reader itself and when software asks for authentication, you swipe the finger and the reader passes the password to the application.
The software will still accept a password I think and as such, biometric fingerprint readers are only as strong as the password you use.
It just means instead of having to remember a 20char password, you can swipe your finger...

Not in all cases. Fingerprint scanners on laptops do that since regular web applications are not intended to accept anything but a password. The scanners used to open doors and such don't actually use a password. They do a direct comparison of what the scanner is reading when you put your finger on it and comparing it to what it had stored previously. The same method could be implemented on computer software to avoid the use of passwords.

When it comes to setting up local accounts for admin staff, most companies have an image of how every type of computer they use should be like so they don't have to actually install everything from scratch in case an HDD or similar breaks down. Those images have the admin account already set up with a custom password that was created at the time of creating the image. I guess it would work with biometrics as well. The only problem would be when implementing it for the first time when you would surely have to go to every computer to set it up, but would be a one time thing, unless there was some way to set up the local accounts through the network as a one time thing or something.

Originally Posted by EmJay
I'd be worried about what happens when the computer crashes and the repair guy can't reproduce the scribble-as-password. One work-around would be to have the owner set up an unpassworded admin account before taking it in, but if it's really messed up he/she may not be able to do that. The other option would be to have the owner come in and physically enter the password at the appropriate point in the repair process - can you say pain in the neck?

Really depends how bad the PC is messed up.
Entering passwords and drawing passpics both require the OS/software/app to be functioning in some way.
If it's functioning enough to accept passwords, it's likely to be functioning enough to allow the removal of the password for maintenance.
If the PC is badly b0rked, it likely won't accept either form of authentication and will need a reinstall etc.
But there are a lot of grey areas for scenarios like this... :/

Quote:

Originally Posted by EmJay
It's still an interesting idea, though. Maybe it'd be good for web-based logins. Although if you give people a background image to draw on, I'll bet that 90% will just trace some of the major visible lines, which would be incredibly easy to hack.

Not really.
Even if you just traced the lines provided, the order they were traced in could also be taken into account.
Plus, if that was the person's attitude to security they'd deserve to get hacked.
They'd probably have set their password as 'god' or 'sex' anyway... :D

Quote:

Originally Posted by war-rasta
Not in all cases. Fingerprint scanners on laptops do that since regular web applications are not intended to accept anything but a password. The scanners used to open doors and such don't actually use a password. They do a direct comparison of what the scanner is reading when you put your finger on it and comparing it to what it had stored previously. The same method could be implemented on computer software to avoid the use of passwords.

Like I said, I'm not even sure how others on the market operate, just using my laptop's one as an example. :)

Originally Posted by airchie
I think some people are confused about the exact way some of this works.

AFAIK, biometric fingerprint readers store a hash of your fingerprint data in the reader itself and when software asks for authentication, you swipe the finger and the reader passes the password to the application.
The software will still accept a password I think and as such, biometric fingerprint readers are only as strong as the password you use.
It just means instead of having to remember a 20char password, you can swipe your finger.

I'm not sure if you get corporate versions of this, where you can tie personal info/biometrics to a domain user account and allow that account to access the domain on any machine with a compatible reader.
If not, then it pretty much reduces biometrics to a useful way to remember your passwords, in much the same way as your browser might remember your passwords for you.....

There is at least 1 corporate version of the biometric fingerprint software that I'm aware of. All fingerprint data is stored on a server on the domain and every time a user swipes their finger it sends the request to the domain same as if it were a typed in password. Can't remember what it's called as I was very tired and not paying as much attention as I should have been at that corporate dinner :p no need for fingerprints for local admins - just set up local admin passwords as normal.

That's the beauty of it though, some like to draw massive boobs with small nips, some the opposite, some might even draw the three-titted bird off Total Recall. :D
Even if everyone's passpics were boobs or willies, it still wouldn't be that hackable IMO. :)